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Abstract 

The existing philosophy for space mission control was born in the early days of the space 
program when technology did not exist to put significant control responsibility onboard the 
spacecraft. NASA relied on a team of ground control experts to troubleshoot systems when 
problems occurred. As computing capability improved, more responsibility was handed over to 
the systems software. However, there is still a large contingent of both launch and flight 
controllers supporting each mission. New technology can update this philosophy to increase 
mission assurance and reduce the cost of inter-planetary exploration. 

The advent of model-based diagnosis and intelligent planning software enables spacecraft to 
handle most routine problems automatically and allocate resources in a flexible way to realize 
mission objectives. The manifests for recent missions include multiple subsystems and complex 
experiments. Spacecraft must operate at longer distances from earth where communications 
delays make earthbound command and control impractical. 

NASA’s Ames Research Center (ARC) has demonstrated the utility of onboard diagnosis and 
planning with the Remote Agent experiment in 1999. KSC has pioneered model-based diagnosis 
and demonstrated its utility for ground support operations. KSC and ARC are cooperating in 
research to improve the state of the art of this technology. This paper highlights model-based 
reasoning applications for Moon and Mars missions including in-situ resource utilization and 
enhanced vehicle health monitoring. 

Introduction 

For as long as mankind has existed, we have looked to the heavens and wondered what was out 
there. Early astrologers charted the stars in an effort to unveil the future. As we continued our 
study of the skies we learned that those points of light were Suns, many like our own; and we 
began to speculate about the possibility of life beyond the Earth. For thousands of years answers 
to those questions were beyond our reach. But at the dawn of the 21st Century we are beginning 
to take positive steps towards the answer to this most fundamental question. New techniques in 
astronomy have confirmed the existence of other planets in the Milky Way Galaxy. But these 
discoveries are just tantalizing clues about the possibility of life beyond Earth. And these remote 
planets are still beyond our grasp. The search for life in the Universe must begin closer to home. 

Of all the planets in our solar system, Mars has long been the focus of our attentions. 
Astronomers Giovanni Schiaparelli and Percival Lowell believed that they saw canals crossing 
the face or Mars. (See Figure 1) This led the imagination of mankind to speculate about a race 
struggling to survive on a dying planet. While better telescopes disproved the canal theory, 
recent evidence from NASA suggests that Mars may have once had (or may still have) the 
ingredients necessary for life. Pictures from the Mars Global Surveyor suggest the possibility of 
water flows in the recent geological past. (Figure 2) A couple of Martian meteorites appear to 
have fossilized bacteria in them. (Figure 3) The Nakhla Meteorite, in a recent study sponsored by 
Arizona State University, hints at a possible salty ocean. The only way we will answer these 
questions is to explore the surface extensively. 
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Paleontologists such as Charles D. Wolcott (Figure 4) have spent extraordinary time and effort 
in the wastelands of the Earth searching for fossils. To think that we can find evidence of past 
life on Mars by sampling a few sites with robotic landers is questionable. Interestingly enough. 
Wolcott was the first director of National Advisory Committee for Aeronautics (NACA) the 
precursor to NASA. He spent more than 50 years collecting fossils all over North America. The 
only way to answer the questions about Mars is to send humans to the planet for extended periods 
of time. NASA is now developing the technologies that will enable human exploration at an 
affordable cost. 



Figure 1 - Mars Observation by Lowell Mars - (NASA/JPL) 



Figure 4 - Paleontologist and NASA 
forefather Charles D. Walcott 
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Enabling a Vision 

NASA has had brute force technology available for the exploration of Mars for a number ot 
years. Unfortunately, the cost of an Apollo-styled Mars mission would be extraordinary. In 
1989, President Bush made a call on the 20th anniversary of the first Moon landing for the Nation 
to return to the Moon and press onward to Mars. The plan that NASA presented to Congress cost 
450 billion dollars. As one might expect, the plan was Dead On Arrival! The plan may have 
been dead, but the dream remained alive. 

To drive down the cost and increase the safety of a human Mars mission, a fundamental change 
in the philosophy of space mission control is required. The existing philosophy was born in the 
early days of the space program. In the late 50’s, the technology did not exist to place a 
significant share of the control responsibility in the systems software. In addition, the embedded 
analog controllers were crude by today’s standards. So NASA relied on a team of ground control 
experts. Figure 5 shows the conceptual control systems architecture used by NASA Space 
missions'. The ground controllers monitor telemetry from the spacecraft. When a problem is 
discovered, the controllers use their systems engineering expertise to identify the probable cause 
and propose a solution. This basic architecture has changed little in the 40 years since the dawn 
of human space flight. 




Figure 5 - Control Architecture Based on Ground Experts 


Today’s Software Still Requires Too Much Human Intervention 

What has changed is the ability of computer hardware and software to bear a greater 
responsibility for spacecraft control and configuration. As each generation of spacecraft has 
evolved, more and more capability has been added to both the embedded controllers and the 
systems software. Systems software in the Space Shuttle makes many critical real-time decisions 
throughout the mission. A significant example of this capability came recently on the launch of 
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STS-93. An electrical short caused a momentary power dropout on one of the two main pow er 
buses. This shut down one of two redundant main engine controllers. Due to the sophistication 
of the svstem software, the Shuttle computers quickly selected the backup controller and the 
mission was completed successfully. Although the sophistication of today s space vehicle system 
software is impressive, it still relies upon a room full of ground controllers to monitor the flight 
on a continuous basis. This has always been very expensive, but missions have typically lasted 
only two weeks. A human Mars mission based on the current reference mission could last over 
two years. Not only would this be exorbitantly expensive, it is also impractical due to the 
distances involved. 

The human space program has always had the luxury of almost continuous communications 
between the vehicle and the ground. For years NASA maintained a ground station network 
throughout the world so that the astronauts were never without help from the ground. The first 
time that a communications blackout occurred was during the Apollo program when the 
astronaut’s trajectory carried them to the far side of the moon. Due to their close proximity to 
Earth, all time delays resulting from the distance involved were minimal. Again, Apollo was the 
worst-case scenario to date, and that communications delay was only 3 seconds. Humans on the 
surface of Mars will experience telemetry and communications delays of 20 minutes or more. In 
some cases communications will be impossible due to interference from the Sun. This blackout, 
caused by planetary alignment, can last up to two weeks. 

A New Paradigm for Mission Control 

Clearly, the systems software must take on added responsibility for the identification and 
resolution of problems. This software must have the same systems knowledge that today’s 
ground controllers possess. It must not only have the ability to detect straightforward failures like 
the Shuttle power glitch mentioned above. It must also be able to reason about nuances of system 
degradation. It must also detect erroneous sensor readings that might indicate a supposed problem 
where none truly exists. 

Intelligent Systems Software will have wide ranging impacts on all areas of a Mars mission. It 
can be used in continuous process systems like the environmental control system, wastewater 
regeneration, power generation and In-Situ Resource Utilization (ISRU). 

Kennedy Space Center (KSC) has invested in the development of model-based diagnosis and 
control applications for sixteen years having broad experience in both ground and spacecraft 
systems and software. KSC has now partnered with Ames Research Center (ARC), NASA’s 
Center of Excellence in Information Technology, to create a new paradigm for the control of 
dynamic space systems. ARC has developed model-based diagnosis and intelligent planning 
software that enables spacecraft to handle most routine problems automatically and allocate 
resources in a flexible way to realize mission objectives. ARC demonstrated the utility of onboard 
diagnosis and planning with an experiment aboard Deep Space 1 in 1999. Deep Space One was 
created to test out a series of new technologies from ion propulsion to autonomous spacecraft 
navigation. KSC is now working with ARC to extend this technology into the realm of chemical 
process control and In-situ Resource Utilization using the Reverse Water Gas Shift (RWGS) 
testbed. 

In-situ Resource Utilization (ISRU) 

In-Situ Resource Utilization is an important strategy for NASA’s design reference missions' 
and has become a key component of plans to send human crews to Mars. One of the most 
significant cost factors for Mars exploration is the amount of mass carried to Mars and back. For 
every kilogram making the round trip, forty (40) kilograms must be lifted to low earth orbit at the 


Page 5 of 9 


beginning of the mission. Major savings can be achieved by making some of the fuel for the 
return trip from resources available on the Martian surface because the heaviest part of any 
launch vehicle is the fuel it carries. Furthermore, there are other consumables that are needed in 
large quantities for a long duration mission, such as Oxygen for breathing. This technology has 
the potential to significantly reduce the cost and enhance the safety of human Mars missions. 


Reverse Water Gas Shift (RWGS) 

One of the more promising technologies for ISRU is the Reverse Water Gas Shift (RWGS) 
process. RWGS is a method for producing Oxygen from the atmosphere of Mars, which is mostly 
carbon dioxide. The reaction works as follows: carbon dioxide is combined with hydrogen 
(brought from earth) in the following reaction: C0 2 + H 2 = H 2 0 + CO 

The water produced in the RWGS reactor is collected in a condenser and delivered to an 
electrolyzer. Oxygen produced by electrolysis is stored and the hydrogen is recovered and 
recirculated into the input stream. (See below Figure 6 - Simplified RWGS Schematic) Since 
most of the hydrogen is reused, the import requirements from earth are small. 
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Figure 6 - Simplified RWGS Schematic 


Implementing these chemical processes on the Martian surface will take a considerable amount 
of process engineering. C0 2 must be acquired, compressed and stored. The products of the 
reaction must be liquefied and stored. Hydrogen for the RWGS process will likely be delivered to 
the surface as a cryogen and will require processing to supply it as a process gas. The reactions 
themselves are optimized over a narrow range of temperature and gas composition. Therefore the 
control system must be able to adjust to variations in operating conditions and equipment health 
to maintain optimal fuel production rates. These requirements emphasize the need for intelligent 
systems control. 

Autonomous monitoring and control 

Current mission profiles call for ISRU systems to operate unattended on the Mars surface for 
two years or more without human intervention. During such a long period it is certain that some 
subsystem and measurement failures will occur. Satellites in earth orbit are designed for such 
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lifetimes; but for reasons already discussed, the Mars mission will not enjoy the luxury of round- 
the-clock human operators who are in constant contact with the vehicle. The task of the 
autonomous system is to be truly fault-tolerant by taking corrective action without ground 
intervention. This requires the ability to continuously adapt to degraded sensor environments as 
well as automated planning for resource and redundancy management. 

Autonomous Control of a RWGS System 

The RWGS test bed uses Livingstone monitoring and diagnosis software developed at ARC. 
ARC has been working with KSC to apply Livingstone to ISRU since 1998. The software 
provides built-in autonomy capabilities for RWGS. 

The heart of the RWGS intelligent system is a high-level system model of the test bed written 
in the Livingstone modeling language. The model is a simple, declarative statement of the 
behavior of RWGS components and the connections between them. Information from the design 
of the test bed is simply translated, part-by-part and concept-by-concept into Livingstone 
statements. 

Figure 7 is an example of a valve component model. The engineer has defined finite states for 
the valve corresponding to various normal and abnormal operating modes. Transitions are 
defined corresponding to device commands and faults. Logical propositions define the behavior 
of the valve while it is in the associated mode. 


Solenoid valve Valve states 



Figure 7 - Valve Component Model 


One of the key benefits of this modeling paradigm is that the engineer is only responsible for 
describing the local behavior of each component (Figure 7) and the relationships that exist 
between components. Livingstone then uses this specification to compose a larger, system model 
that can be used to reason about the global behavior of the entire system given the mode of each 
component. Once the model is complete and connected to test bed instrumentation, the advisory 
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and autonomy features of the Livingstone engine are available for use. As discussed above, these 
benefits include system health monitoring, diagnosis of component failures, flexible 
reconfiguration, redundancy management, adaptability to degraded environments, and tolerance 
for component faults and incomplete sensor information. 

Schematic relationship Relationships expressed in 

Between valve components Modeling language 



(defmodule fiowModule (?name) 

(: structure 

(solcnoidVa!vc3Way SV1) ; three valves in the module 
(solenoidValve2Way SV2) 

(solenoidVaive2Way SV3)) 

(connections ; connections between valves 

(and 

(* (pressure (input SV2)) (pressure (output-set S V 1 ))) 

(“ (pressure (input SV3)) (pressure (output-reset S V 1 )))))) 



Figure 8 - Defining Relationships Between Components 

Benefits of Intelligent Software 

The RWGS test bed is designed for unattended operation, and its control system illustrates 
many features and advantages of intelligent software. Two examples of examples are highlighted 
below: redundancy management and adaptability to degraded environments 

Redundancy Management 

One example of component redundancy in RWGS is gas supply valves. As mentioned above, 
the RWGS mixes two gas streams into a reactor to achieve the desired products. Feed flows from 
each of these gas sources are connected with redundant components as in Figure 8. Since this 
redundancy is part of the model, Livingstone is able to reason about how a valve such as SV2 
(above) that is stuck closed could cause a low feed rate. Livingstone’s system model simulates 
global behavior of RWGS with a stuck-closed valve. The simulation predicts that this would 
result in anomalous gas composition ratios. Livingstone automatically compares the predicted 
compositions with current observations from RWGS measurements and is able to confirm the 
diagnosis. In addition, the Livingstone engine is capable of manipulating the model to determine 
whether redundant flow paths exist for restoring nominal flows. In the “Flow Module” of Figure 
8, a redundant path does exist, and Livingstone is capable of directing the control executive to 
reset SVt, open the backup valve (SV3) and overcome the fault to continue normal production. 

Adapting to Degraded Environments 

The principal source of Hydrogen flow in RWGS is the electrolyzer (See Figure 6 above). 
Flowmeters measure its hydrogen production. An ammeter measures the current flowing in the 
electrolyzer. By the chemical equation for the electrolysis of water, we know there is a 
relationship between hydrogen production and electrolyzer current. This makes it possible to use 
the ammeter as a check on hydrogen flow or to use the flowmeter as a measurement of 
electrolyzer current. If either measurement malfunctions while in operation on Mars, the other 
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can be used as a backup. The chemical equations for electrolysis are part of the Livingstone 
model. Liv ingstone automatically takes advantage of the ‘‘logical redundancy” in the RWGS 
process. Even greater redundancy is available vis-a-vis the electrolyzer since flowmeters also 
measure the oxygen production rate of the system. The oxygen production rate is related to 
electrolyzer current by the same chemical equation for water electrolysis. This equation also 
computes the water consumption of the electrolyzer. Since a level sensor on the RWGS 
condenser directly measures water use (See Figure 6 above) all four of these measurements can 
be used to track the others and maintain effective control of various parts of RWGS. This feature 
greatly enhances mission assurance and makes the RWGS control system extremely robust and 
fault tolerant. The loss of one or more of these four measurements over the operating life of 
RWGS will not hinder effective control of the system. 

Concluding Remarks 

Planetary research in recent decades has made it clear that exploration of Mars is the most 
feasible alternative for discovering evidence of life beyond Earth. Furthermore, it is apparent that 
painstaking, human investigation is needed to collect and examine material containing fossils or 
other evidence of biological interest. NASA is developing intelligent software and ISRU 
technologies that will make human exploration affordable and feasible. Model-based software 
using the Livingstone system will enable systems to work autonomously for long periods of time 
in degraded environments. Computer hardware and software is now able to bear a greater 
responsibility for fulfilling the vision of exploration of the solar system. 
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